Whitehat program

The service has a public whitehat or security bounty program? Yes / No

A whitehat program, also known as a security bounty program, is a published guide that describes how the service deals with security researchers. Its purpose is to encourage legitimate security research that uncovers issues in the service and to credit the third parties who do this work.

Third-party security researchers typically probe the service with web security audit tools such as Burp Suite, looking for XSS, CSRF, SQL and other database injection, and authorization flaws.

The whitehat program usually includes information about:

  • How to contact the service when reporting security issues
  • What response time one should expect
  • Security issue types that are eligible for bounty
  • The amount of the bounty and how it is paid
  • Crediting the researcher for uncovering the issue

Third-party services such as Cobalt and HackerOne facilitate the creation and management of whitehat programs.

Applies to: Medium and large enterprises

Related incidents:

Links: